authorRina Fujino <18257209+rina23q@users.noreply.github.com>2021-09-21 09:50:40 +0200
committerGitHub <noreply@github.com>2021-09-21 09:50:40 +0200
commitf55798a44456206d9beb31114d5b731ae74b50d1 (patch)
treea835f65977e0bcfe63a35e80ebf21d97f29edb8e
parentf0c0ce160a2b191d72a30c5a97056dbb2a797837 (diff)
[CIT-577] Update postinst script of tedge-agent (#436)
* [CIT-577] Update postinst script of tedge-agent - tedge-agent can execute other plugins than apt Signed-off-by: Rina Fujino <18257209+rina23q@users.noreply.github.com> * [CIT-471] Add tests part 1 Signed-off-by: Rina Fujino <18257209+rina23q@users.noreply.github.com>
-rw-r--r--configuration/debian/tedge_agent/postinst4
-rw-r--r--tests/PySys/tedge_agent_user_sudo_access/pysystest.xml25
-rw-r--r--tests/PySys/tedge_agent_user_sudo_access/run.py58
3 files changed, 85 insertions, 2 deletions
diff --git a/configuration/debian/tedge_agent/postinst b/configuration/debian/tedge_agent/postinst
index 62df6779..437dc09f 100644
--- a/configuration/debian/tedge_agent/postinst
+++ b/configuration/debian/tedge_agent/postinst
@@ -13,10 +13,10 @@ if ! getent passwd tedge-agent > /dev/null; then
fi
### Create file in /etc/sudoers.d directory
-echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/apt" > /etc/sudoers.d/tedge-agent
+echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/[a-zA-Z0-9]*" > /etc/sudoers.d/tedge-agent
if [ -f "/etc/sudoers.d/010_pi-nopasswd" ]; then
- echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/apt" > /etc/sudoers.d/tedge-agent-nopasswd
+ echo "%tedge-agent ALL = (ALL) NOPASSWD: /etc/tedge/sm-plugins/[a-zA-Z0-9]*" > /etc/sudoers.d/tedge-agent-nopasswd
fi
# create /etc/tedge/.agent directory
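Review bot: The widened rule on the two `+echo` lines (the `tedge-agent` file and the `tedge-agent-nopasswd` mirror) makes the plugin directory's permissions the whole security boundary: whatever can be placed in `/etc/tedge/sm-plugins/` becomes root-executable by tedge-agent, so the postinst should make sure that directory is root-owned and not writable by the tedge-agent user or group, and a comment next to the rule should say so. It is also worth documenting why the pattern is safe against the traversal case left as a `To Do` in run.py: sudoers patterns are fnmatch-style globs, not regular expressions, a `*` in the pathname does not match `/`, and the leading `[a-zA-Z0-9]` class rejects names starting with `.`, e.g. `# sudoers globs never match '/', and the leading character class excludes '..'`. The files are written with a bare redirection and never checked; running `visudo -cf /etc/sudoers.d/tedge-agent` after each write (and `chmod 0440` to follow the usual convention for drop-in files) would catch a malformed rule before it breaks sudo on the device. The enclosing script continues outside the hunk.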
diff --git a/tests/PySys/tedge_agent_user_sudo_access/pysystest.xml b/tests/PySys/tedge_agent_user_sudo_access/pysystest.xml
new file mode 100644
index 00000000..bc9c13e5
--- /dev/null
+++ b/tests/PySys/tedge_agent_user_sudo_access/pysystest.xml
@@ -0,0 +1,25 @@
+<?xml version="1.0" encoding="utf-8"?>
+<pysystest type="auto">
+
+ <description>
+ <title>Validate tedge-agent user has a limited sudo right</title>
+ <purpose><![CDATA[
+]]>
+ </purpose>
+ </description>
+ <classification>
+ <groups inherit="true">
+ <group></group>
+ </groups>
+ <modes inherit="true">
+ </modes>
+ </classification>
+ <data>
+ <class name="TedgeAgentUserSudoAccess" module="run"/>
+ </data>
+ <traceability>
+ <requirements>
+ <requirement id=""/>
+ </requirements>
+ </traceability>
+</pysystest>
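Review bot: The `<purpose>` CDATA block, the `<group>` element and `<requirement id=""/>` are all left empty, so the descriptor tells a reader nothing beyond its title. The purpose should at least carry the Given/When/Then scenario that run.py states in its leading string (installed plugins run as tedge-agent without a password; paths outside the plugin directory are refused), and the empty group/requirement entries should either be filled in or dropped.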
diff --git a/tests/PySys/tedge_agent_user_sudo_access/run.py b/tests/PySys/tedge_agent_user_sudo_access/run.py
new file mode 100644
index 00000000..2fea6ba6
--- /dev/null
+++ b/tests/PySys/tedge_agent_user_sudo_access/run.py
@@ -0,0 +1,58 @@
+import time
+from pysys.basetest import BaseTest
+import subprocess
+from threading import Timer
+
+"""
+Validate tedge-agent user has a limited sudo right
+
+Given tedge_apt_plugin and tedge_agent are installed
+When we run plugin located in plugin directory as tedge-agent
+Then a plugin is executed
+When we run plugin located out of plugin directory as tedge-agent
+Then a plugin is not executed
+"""
+
+
+class TedgeAgentUserSudoAccess(BaseTest):
+
+ def setup(self):
+ self.sudo = "/usr/bin/sudo"
+
+ self.log.info("Copy apt plugin 'deb'")
+ self.startProcess(
+ command=self.sudo,
+ arguments=["cp", "/etc/tedge/sm-plugins/apt", "/etc/tedge/sm-plugins/deb"],
+ stdouterr="copy_apt_plugin",
+ )
+ self.addCleanupFunction(self.mycleanup)
+
+ def execute(self):
+ proc1 = self.startProcess(
+ command=self.sudo,
+ arguments=["-u", "tedge-agent", self.sudo, "/etc/tedge/sm-plugins/apt"],
+ stdouterr="apt",
+ expectedExitStatus="==1",
+ )
+ self.assertThat("value" + proc1.expectedExitStatus, value=proc1.exitStatus)
+
+ proc2 = self.startProcess(
+ command=self.sudo,
+ arguments=["-u", "tedge-agent", self.sudo, "/etc/tedge/sm-plugins/deb"],
+ stdouterr="deb",
+ expectedExitStatus="==1",
+ )
+ self.assertThat("value" + proc2.expectedExitStatus, value=proc2.exitStatus)
+
+ # To Do
+ # vulnerability check
+ # sudo -u tedge-agent sudo /etc/tedge/sm-plugins/../../../bin/ls
+ # Must be asked a password of tedge-agent
+
+ def mycleanup(self):
+ self.log.info("Remove the copied apt 'deb' plugin")
+ self.startProcess(
+ command=self.sudo,
+ arguments=["rm", "/etc/tedge/sm-plugins/deb"],
+ stdouterr="remove_copied_apt_plugin",
+ )
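Review bot: `expectedExitStatus="==1"` on `proc1` and `proc2` cannot distinguish a sudoers denial from the plugin's own non-zero exit: when sudo refuses (no matching rule, or a password prompt with no tty) it also exits 1, so both assertions would pass even if the rule written by postinst were wrong. Pass `-n` to the inner sudo so a denial never waits for a password, and assert on its stderr after each process, e.g. `self.assertGrep("apt.err", expr="password|not allowed", contains=False)`; the negative case left in the `To Do` comment can use the same pattern with `contains=True`. Separately, `time` and `Timer` are imported but never used, and the triple-quoted block placed after the imports is a bare expression rather than the module docstring — move it above the imports so `__doc__` is actually set.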